For organizational users, a rule of thumb is that "large scale"
-means an installed base of 300,000 or more Xen guests. Other
-well-established organisations with a mature security response process
-will be considered on a case-by-case basis.

+means an installed base of 300,000 or more Xen guests.

The list of entities on the pre-disclosure list is public. (Just
the list of projects and organisations, not the actual email
addresses.)
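
Review bot: In the "large scale" paragraph, the threshold is still introduced as "a rule of thumb" while the sentence allowing case-by-case consideration is removed, so the text no longer says whether 300,000 Xen guests is a hard minimum or a guideline. Suggest either dropping "a rule of thumb is that" so the figure reads as a requirement, or stating who decides cases that fall near it.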

If not all of your products/services use Xen, a list of (some
+ of) your products/services (or categories thereof) which do.

+

Link(s) to current public web pages, belonging to your
+ organisation, for each of following pieces of information:
+

+

Evidence of your status as a service/software provider:
+

+

If you are a public hosting provider, your public rates
+ or how to get a quote

+

If you are a software provider, how your
+ software can be downloaded or purchased

+

If you are an open-source project, a mailing list
+ archive and/or version control repository, with
+ active development

+

+

+

Evidence of your status as a user/distributor of Xen:
+

+

Statements about, or descriptions of, your eligible
+ production services or released software, from which it is
+ immediately evident that they use Xen.
+

+

+

Information about your handling of security problems:
+

+

Your invitation to members of the public, who discover
+ security problems with your products/services, to report
+ them in confidence to you;
+

Specifically, the contact information (email addresses or
+ other contact instructions) which such a member of the
+ public should use.
+

+

+

+

Blog postings, conference presentations, social media pages,
+ Flash presentations, videos, sites which require registration,
+ anything password-protected, etc., are not acceptable. PDFs of
+ reasonable size are acceptable so long as the URL you provide is
+ of a ordinary HTML page providing a link to the PDF.

+

If the pages are long and/or PDFs are involved, your email
+ should say which part of the pages and documents are relevant.

+

A statement to the effect that you have read this policy and
agree to abide by the terms for inclusion in the list, specifically
the requirements to regarding confidentiality during an embargo
period
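
Review bot: In the added paragraph on acceptable links, "of a ordinary HTML page" should read "of an ordinary HTML page", and "PDFs of reasonable size" gives an applicant nothing to check against; suggest stating a limit or dropping the qualifier. The unchanged item directly after it still reads "the requirements to regarding confidentiality" and has no closing full stop, which could be corrected in the same change.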

-

Evidence that will be considered may include the following:
-

-

If you are a public hosting provider, a link to a web page
- with your public rates

-

If you are a software provider, a link to a web page where
- your software can be downloaded or purchased

-

If you are an open-source project, a link to a mailing list
- archive and/or a version control repository demonstrating active
- development

-

A public key signed with a key which is in the PGP "strong
- set"

-

-

+

The single (non-personal) email alias you wish added to the
+ predisclosure list.

-

Organizations already on the list who do not have a security alias
-or have not sent a statement that they have read this policy and will
-abide by, it will be asked to do so.

+

Your application will be determined by the Xen Project Security
+Team, and their decision posted to the list. The Security Team has
+no discretion to accept applications which do not provide all of the
+information required above.

+

If you are dissatisfied with the Security Team's decision you may
+appeal it via the Xen Project's governance processes.

Organisations should not request subscription via the mailing list
web interface. Any such subscription requests will be rejected and
ignored.
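
Review bot: In the added paragraph beginning "Your application will be determined", the phrase "their decision posted to the list" does not say which list is meant, and the only list the surrounding text names is the predisclosure list; suggest naming the list explicitly. The removed paragraph was the only text addressing organisations already on the list, and nothing added here says whether existing members must supply the newly required information or the single non-personal alias, so a sentence covering existing members would close that gap.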